Selecting the right SSL certificate is critical for securing your website, building visitor trust, and meeting compliance requirements. An incorrect choice can lead to service interruptions, security vulnerabilities, or unnecessary costs. This article provides a scenario-driven quick-match guide and a structured, parameter-based decision process to help you identify the required validation level, domain type, encryption algorithm, and brand, and select an optimal solution that balances security, compatibility, and cost-effectiveness.
In late June 2024, Certificate Management Service renamed free SSL certificates to Personal Test Certificates (Free Edition) and upgraded certificates (valid for 12 months) to Personal Test Certificates (Pro). See [Notice] Free Certificate Name Change for more information.
Quick selection
Scenario 1: Personal, development, or test use
Use cases: Ideal for non-commercial and non-production purposes, such as personal blogs, portfolio websites, local development environments, CI/CD testing pipelines, and educational demonstrations.
Key needs: Low cost, fast deployment, and no need for high availability.
Recommended certificate types:
Individual Test Certificate (Free): Suitable for cost-sensitive users. This certificate is valid for 90 days. You can apply for up to 20 certificates each calendar year and must manually renew it upon expiration.
Individual Test Certificate (Pro): Ideal for users who want to reduce maintenance. This low-cost certificate is valid for one year, reducing the need for frequent renewals.
NoteBoth Individual Test Certificate (Free) and Individual Test Certificate (Pro) are DigiCert-branded DV single-domain certificates.
Important notes:
Neither certificate type is covered by a Service-Level Agreement (SLA). Do not use these certificates in any production environment that requires high availability.
For more information about the restrictions and features of these two certificate types, see Comparison: Personal Test Certificates vs. Commercial Certificates.
Scenario 2: SMEs, e-commerce, and mini programs
Use cases: Public-facing production systems such as corporate websites, small to medium-sized e-commerce platforms, backend services for WeChat mini programs, and SaaS application gateways.
Key needs: Stable HTTPS encryption, a moderate level of trust, and high cost-effectiveness.
Recommended certificate type: DV wildcard certificate or OV single-domain certificate.
Validation level: DV or OV.
Domain support: Wildcard (
*.aliyundoc.com) or single domain.Recommended brands: International brands (Rapid, GeoTrust, DigiCert) and Chinese domestic brands (WoSign, vTrus).
Important notes:
To protect multiple subdomains, a wildcard certificate is recommended.
If you want to display your company's information in the certificate to enhance user trust, choose an OV certificate.
Scenario 3: Finance, government, or high-trust services
Use cases: Mission-critical systems with extremely high security and compliance requirements, such as online banking, securities trading systems, government service platforms, large enterprise customer portals, and payment gateways.
Key needs: The highest level of identity assurance, industry compliance, and brand credibility.
Recommended certificate type: EV certificate or OV certificate.
Validation level: EV / OV.
Domain support: Single or multiple domains, depending on the business architecture. EV certificates do not support wildcard domains due to industry standard limitations. If you need a wildcard certificate, choose an OV certificate.
Recommended brands: International brands (GeoTrust, GlobalSign, DigiCert) and Chinese domestic brands (CFCA, vTrus).
Important notes:
Major modern browsers, such as Chrome, Edge, and Safari, no longer display the company name directly in the address bar (the "green bar"). Company information now appears in the certificate details panel.
EV certificates still provide the highest standard of identity verification and have full legal validity. They remain the top choice for finance and government systems to prevent phishing attacks and build user trust.
Industry examples:
Industry
Example
Certificate brand
Certificate type
Encryption algorithm
Domain type
Finance and Banking
Bank of China
DigiCert
EV
RSA
Single domain
Internet and Finance
Alibaba Cloud, Taobao, Tmall
GlobalSign
OV
RSA
Wildcard domain
Sina, Toutiao
GeoTrust
Shanghai Gold Exchange
CFCA
Scenario 4: Special requirements
Chinese cryptographic algorithm (SM2) compliance
Use cases: Government cloud platforms, financial information systems, and critical infrastructure that must use Chinese cryptographic algorithms (SM2) to comply with the Regulations on the Administration of Commercial Cryptography.
Recommended certificate type: SM2 certificate.
Validation level: OV / EV (depending on the brand).
Domain support: Single domain or wildcard domain.
Recommended brands: vTrus, CFCA, WoSign.
Important notes: Before you use an SM2 certificate, ensure your server software supports the SM SSL/TLS protocol stack, such as Tongsuo or an SM-enabled version of Nginx.
Public IP address access
Use cases: Devices or systems that serve traffic directly over a public IPv4 address and cannot be configured with a domain name, such as IoT gateways, edge servers, or legacy systems.
Recommended certificate type: OV single-domain certificate (supports IP).
Validation level: OV.
Domain support: Public IPv4 address (only for specific brands).
Recommended brands: International brands (GlobalSign, DigiCert, GeoTrust) and Chinese domestic brands (vTrus, CFCA).
Important notes: Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust, vTrus, and CFCA support binding to an IP address.
If the scenarios above do not meet your needs, see the advanced selection section. You can also visit the product page or consult a technical expert using the Expert One-on-One Service in the console.
Selection parameters
Selection process
Use this guide to select a certificate that fits your business needs:
Step 1: Certificate category
For personal projects, development, testing, or learning demos → Choose a Personal Test Certificate (Free Edition or Pro).
NotePersonal Test Certificate (Free Edition or Pro) only supports the DV validation level and the RSA algorithm.
For a production environment or external-facing service → Choose a Commercial Certificate and proceed to Step 2.
Step 2: Validation level
If you only need basic HTTPS encryption and do not need to display company information → Choose DV.
To display your organization's identity in the certificate and build user trust → Choose OV.
If you operate in a high-compliance sector such as finance, government, or payments → Choose EV.
NoteEV certificates do not support wildcard domains.
Step 3: Domain type
To protect only a single domain (e.g.,
www.example.com) → Choose a single-domain certificate.To protect all subdomains under the same root domain (e.g.,
*.example.com) → Choose a wildcard certificate.To protect multiple different domains (e.g.,
a.com+b.com) → Choose a multi-domain certificate.To protect both wildcard and single domains → Choose a hybrid-domain certificate.
To secure a public IP address directly (without a domain) → Choose a certificate that supports IP addresses (only some OV certificates support this feature).
Step 4: Encryption algorithm
For the widest compatibility (compatible with older devices and browsers) → Choose the RSA algorithm.
For higher performance and stronger security (ideal for mobile, IoT, etc.) → Choose the ECC algorithm.
If your business must meet SM cryptographic compliance requirements (for government, finance, state-owned enterprises, etc.) → Choose the SM2 algorithm (requires a domestic brand).
NoteIf you have no specific requirements, we recommend the RSA algorithm for maximum compatibility.
Step 5: Certificate brand
Based on your budget and preferences, review the Pricing Information and select a brand from Certificate Brands.
Certificate types
Certificate Management Service (Original SSL Certificate) offers two types of certificates: Individual Test Certificate (Formerly Free Certificate) and Commercial Certificates. The Individual Test Certificate (Formerly Free Certificate) category includes Individual Test Certificate (Free) and Individual Test Certificate (Pro).
Free SSL certificates (Personal Test Certificates) are issued under the DigiCert brand. When purchasing a commercial certificate, you can also select the DigiCert brand based on your business needs, and choose from single-domain or wildcard domain specifications.
Related concepts:
Remaining validity carryover: When you renew a certificate with a new one of the same brand and type before it expires, the new certificate's validity period is extended by the remaining validity from the old one. For example, if your old certificate expires on August 1, 2024, and you complete the renewal and issuance on July 20, 2024, the new certificate is valid from July 20, 2024, to August 1, 2025.
Certificate consolidation request: You can combine multiple certificates (domains) of the same brand and validation level into a single certificate to simplify application and management. For more information, see Certificate Consolidation Request.
OCSP Stability: The Online Certificate Status Protocol (OCSP) checks in real time whether a certificate has been revoked. Stability refers to the high availability and rapid response of the CA's query service, which prevents website access delays or connection failures.
SSL Certificate Management V2.0 does not support renewals or certificate consolidation requests. For more information, see SSL Certificate Management V2.0 Release Notes.
Individual Test Certificate vs. Commercial Certificate
Individual Test Certificates (including Free and Pro editions) must not be used in a production environment. Use a Commercial Certificates for enterprise-level services.
Both Individual Test Certificate (Free) and Individual Test Certificate (Pro) are DigiCert-branded DV single-domain certificates.
Feature | Individual test certificate | Commercial Certificates |
Use cases | Personal websites, development, and testing. | All production environment services. |
SLA guarantee | None | Provided. For more information, see Related Agreements. |
OCSP stability | Lower. Stability is not guaranteed. | High. Stable validation is guaranteed. |
CA center security insurance payout | Not supported | Supported |
Validity period |
For more information, see Validity Period Changes. |
For more information, see Validity Period Changes. |
Supported encryption algorithms | RSA | RSA, ECC. Some brands also support SM2. |
Compatibility | Fair | High |
Multi-year certificate | Not supported | Supported for a service period of up to three years. |
Remaining validity carryover | Not supported | Supported |
Certificate quantity limit |
| No limit |
Supported domain types | Single-domain only. You cannot apply for an Individual Test Certificate for domains with special TLDs, such as | Single-domain, wildcard domain, multi-domain, and hybrid domain. |
IP certificate | Not supported | Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust, vTrus, and CFCA support IP address binding. |
Domain replacement | Not supported | Rapid (DV) and DigiCert (DV) certificates do not support domain replacement. Commercial certificates of other brands and types support domain replacement. |
Supported validation levels | DV | DV, OV, and EV |
Supported certificate brands | DigiCert |
|
Certificate consolidation request | Not supported | Supported |
Customer support |
| Supported |
Validation levels (DV / OV / EV)
SSL certificates are classified by validation level: DV (Domain Validated), OV (Organization Validated), and EV (Extended Validation). These validation levels differ in required verification materials, average issuance time, and browser trust indicators.
For personal websites without company information, you can only apply for a personal test certificate or DV SSL certificate.
Feature | DV (Domain Validated) | OV (Organization Validated) | EV (Extended Validation) |
Use case | Personal websites, app services, and development or testing environments. | Government organizations, small to medium-sized enterprises (SMEs), and educational institutions. | E-commerce sites, financial institutions, and large enterprises that handle transactions or sensitive private data. |
Validation level | Low. The certificate authority (CA) only verifies domain ownership. | Medium. The CA verifies the organization's real-world identity. | High. The CA strictly verifies the organization's identity and legal status. |
Verification method and documents | DNS verification. | Email or phone. Requires domain verification and submission of company information, a business license, and other documents. | Email or phone. Requires domain verification and submission of company information, a business license, and other documents.
|
Security level | Basic. Encrypts data in transit. The CA only verifies that the applicant controls the domain, so it does not confirm the identity of the organization behind the website. | Enhanced. Encrypts data in transit and displays the organization's verified identity in the certificate details. The CA verifies the organization's legal existence and physical address. | Maximum. Provides the highest level of identity assurance. The CA performs the most rigorous vetting, including verifying the organization's legal, physical, and operational existence. The certificate contains the verified organization name visible in browser certificate details. |
Browser display | Displays the padlock icon and HTTPS indicator in the address bar. No organization identity is shown. | Displays the padlock icon and HTTPS indicator. The organization's verified name appears in the certificate details panel when users inspect the certificate. | Displays the padlock icon and HTTPS indicator. Modern browsers no longer show a green address bar, but the organization's verified identity is prominently displayed in the certificate details panel, providing the strongest visual trust signal available. |
Price level | Lowest | Medium (DV < OV) | Highest (OV < EV) |
Average issuance time | 1–15 minutes. | 5 calendar days | 5 calendar days |
How to choose a validation level
Use the following guidance to select the right validation level for your scenario:
DV certificate: Best for personal websites, mobile apps, or enterprise test environments. Choose DV when you only need basic HTTPS encryption without identity verification. It is the most cost-effective option with the fastest issuance time.
OV certificate: Recommended for government organizations, small to medium-sized enterprises (SMEs), and educational institutions that need to display their verified identity to visitors. Choose OV when your users need to know that a real, verified organization operates the website.
EV certificate: The top choice for large enterprises, financial institutions, and websites handling transactions or highly sensitive data. Choose EV when your business requires the highest level of identity trust and legal assurance. EV certificates undergo the most rigorous validation process.
Price hierarchy: DV certificates are the most affordable, followed by OV, with EV certificates at the highest price tier (DV < OV < EV). For detailed pricing, see Pricing Information.
Domain types
An SSL certificate must be bound to a domain name or IP address to take effect. The number and types of domains you need to secure determine the required certificate type and quantity. Alibaba Cloud supports certificates for the following domain types: single domain, multi-domain, wildcard domain, and hybrid domain. The following table compares these domain types and describes their corresponding certificates.
Domain type | Description | Notes |
Single domain | Binds one certificate to a single, fully qualified domain name, such as | Supports DV, OV, and EV validation levels. |
Multi-domain | Binds one certificate to multiple domains or IP addresses. By default, you can add up to 5 domains, and you can add more after purchase, up to a maximum of 250. | To secure an IP address, you must use an OV certificate from a brand that supports IP addresses. |
Wildcard domain | Uses the format For example, a wildcard domain |
|
Hybrid domain | A single certificate contains a mix of domain types, such as Note During the purchase or application process, you can merge multiple certificates of the same brand and type to create a hybrid domain certificate. For instructions, see Purchase a commercial SSL certificate or Certificate Consolidation Request. |
|
IP address | Binds a single certificate to one public IPv4 address. | Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust, vTrus, and CFCA support IP address binding. |
After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.
Encryption algorithm (RSA / ECC / SM2)
International standard algorithms
RSA: An asymmetric encryption algorithm known for its excellent compatibility and widespread adoption.
ECC (elliptic curve cryptography): A modern asymmetric encryption algorithm that offers stronger security, faster performance, and lower resource consumption compared to RSA and is now widely supported by major browsers.
Item | RSA algorithm | ECC algorithm |
Security and key length | Requires a longer key length. Supported key lengths are 2048-bit and 4096-bit. | Achieves the same security level with a much smaller key length.
|
Performance / Speed | Slower. | Faster, especially in resource-constrained environments like mobile and Internet of Things (IoT) devices. |
Memory and CPU usage | High. | Low. |
Compatibility | High. | Good, but not as widespread as RSA. |
Chinese national standard algorithms
SM2: An elliptic curve public-key cryptography algorithm published by the State Cryptography Administration of China. It is used in China's commercial cryptography system as an alternative to RSA. SSL certificates using the SM2 algorithm are intended for users who require SM cryptographic compliance.
The following table lists the encryption algorithms supported by each SSL certificate brand and type.
Certificate brand | Certificate type | RSA | ECC | SM2 | |||||||
Signature algorithm | Key length | Signature algorithm | Key length | Signature algorithm | Key length | ||||||
SHA256withRSA | SHA384withRSA | 2048 | 4096 | SHA256withECDSA | SHA384withECDSA | prime256v1 | secp384r1 | SM3withSM2 | sm2p256v1 | ||
DigiCert | DV | ||||||||||
OV | |||||||||||
EV | |||||||||||
GeoTrust | OV | ||||||||||
EV | |||||||||||
GlobalSign | DV | ||||||||||
OV | |||||||||||
Rapid | DV | ||||||||||
vTrus (domestic brand) | DV | ||||||||||
OV | |||||||||||
CFCA (domestic brand) | OV | ||||||||||
EV | |||||||||||
WoSign (domestic brand) | DV | ||||||||||
By default, SSL certificates are signed with the SHA256withRSA or SHA256withECDSA signature algorithm. You cannot select a signature algorithm that uses the SHA384 hash function on the Certificate Management Service console. To issue a certificate with this signature algorithm, you must create a CSR file locally and upload it to the console. For more information, see How to Create a CSR File and Upload CSR.
Certificate brands
When choosing a certificate brand, consider factors such as its supported validation levels, domain types, encryption algorithms, and price, as well as your business requirements and budget.
If you need help choosing a certificate brand, contact a technical expert through pre-sales/post-sales support. For more information, see expert one-on-one service.
International brands
Certificate brand | Description | Advantages |
DigiCert | DigiCert (formerly Symantec) is a leading global certificate authority (CA) and a trusted SSL certificate brand. |
|
Rapid | Rapid is a sub-brand of DigiCert. It was formerly known as the GeoTrust DV certificate and was renamed to Rapid in late January 2022. For more information, see [Change] Notice on GeoTrust DV Certificate Name Change. | Supports the RSA encryption algorithm |
GeoTrust | GeoTrust is a sub-brand of DigiCert (formerly Symantec) and is the world's second-largest certificate authority (CA). |
|
GlobalSign | GlobalSign is one of the earliest certificate authorities (CAs). The company specializes in cybersecurity certification and digital certificate services and is a trusted provider of SSL certificates. Major e-commerce websites such as Tmall and Taobao use GlobalSign brand certificates. |
|
Domestic brands
Certificate brand | Description | Advantages |
CFCA | China Financial Certification Authority (CFCA) is WebTrust-certified, adheres to globally unified auditing standards, and is a member of the CA/Browser Forum. CFCA certificates meet the SSL compliance requirements for domestic industries like government and finance. |
Note CFCA brand certificates do not support iOS 10.1 or earlier, or Android 6.0 or earlier. |
vTrus | vTrus is a domestic SSL certificate brand from Tianwei Trust. Built on international trust roots, it balances domestic compliance needs with compatibility across major global environments. |
|
WoSign | WoSign is a domestic SSL certificate brand suited for cost-sensitive scenarios. |
|
Supported algorithms and domain types by brand:
If you are familiar with certificate types, domain types, encryption algorithms, and certificate brands, use the table below to quickly select the right certificate.
Certificate brand | Type | Encryption algorithm | Domain type |
DigiCert | DV (personal test certificate) | RSA | single domain |
OV | RSA, ECC | single domain, multi-domain, wildcard domain | |
EV | RSA | single domain, multi-domain | |
GeoTrust | OV | RSA, ECC | single domain, multi-domain, wildcard domain |
EV | RSA | single domain, multi-domain | |
GlobalSign | DV | RSA | single domain, wildcard domain |
OV | RSA, ECC | single domain, multi-domain, wildcard domain | |
Rapid | DV | RSA | single domain, wildcard domain |
vTrus (domestic brand) | DV | RSA, SM2 | single domain, wildcard domain |
OV | RSA, SM2 | single domain, multi-domain, wildcard domain | |
CFCA (domestic brand) | OV | RSA, SM2 | single domain, multi-domain, wildcard domain |
EV | RSA | single domain, multi-domain | |
WoSign (domestic brand) | DV | RSA, SM2 | single domain, wildcard domain |
Pricing
The price of an SSL certificate varies by its type, validation level, domain type, and brand. Choose a certificate that fits your requirements and budget.
The prices below are for reference only. The final price is shown on the Certificate Service purchase page.
Brand category | Certificate brand | Validation level | Domain type | Price (CNY/year) | Notes |
International brands | DigiCert | Individual Test Certificate (Free) | Single domain | Free | / |
Individual Test Certificate (Pro) | Single domain | 68 (The validity period changes to six months starting February 25, 2026. For more information, see Validity Period Changes.) | / | ||
DV | Wildcard domain | 2,000 | / | ||
OV | Single domain |
| / | ||
Wildcard domain | 40,000 | / | |||
EV | Single domain |
| / | ||
GeoTrust | OV | Single domain | 2,778 | / | |
Wildcard domain | 7,278 | / | |||
Multi-domain | 12,290 | Includes 5 single domains by default. | |||
EV | Single domain | 6,000 | / | ||
Multi-domain | 19,260 | Includes 5 single domains by default. | |||
GlobalSign | DV | Single domain | 1,980 | / | |
Wildcard domain | 6,930 | / | |||
OV | Single domain | 3,728 | / | ||
Wildcard domain | 13,048 | / | |||
Rapid | DV | Single domain | 378 | / | |
Wildcard domain | 1,788 | / | |||
Domestic brands (SM2) | vTrus | DV | Single domain | 1,200 | / |
Wildcard domain | 3,000 | / | |||
OV | Single domain | 4,000 | / | ||
Wildcard domain | 12,000 | / | |||
CFCA | OV | Single domain | 4,000 | / | |
Wildcard domain | 15,000 | / | |||
EV | Single domain | 10,000 | / | ||
WoSign | DV | Single domain | 880 | / | |
Wildcard domain | 2,640 | / |
Purchase a certificate
Personal test certificate: Buy a Personal Test Certificate
Commercial certificate: Buy a Commercial Certificate
FAQ
Expired personal test certificates
Personal test certificates do not support automatic renewal. Before the certificate expires, log on to the Certificate Management Service (Original SSL Certificate) console to apply for a new certificate and replace the old one on your web server.
If you reach the annual limit of 20 certificates, you can purchase a commercial certificate instead.
Certificates for IP addresses
Choose an OV single-domain certificate that supports IP addresses. When purchasing, select an OV certificate from one of the following brands: GlobalSign, DigiCert, GeoTrust, vTrus, or CFCA. When applying, enter your public IP address.
Redeployment after renewal or reissuance
Yes. Each renewal or reissuance generates a new certificate. You must download the new certificate and deploy it to your web server to replace the old one.
If you renew your certificate for multiple years and used Cloud Product Deployment for the previous certificate, Certificate Management Service (Original SSL Certificate) will automatically deploy the new one using Cloud Product Managed Deployment after it is issued. If the deployment fails, you will receive a notification by text message, email, and internal message.
Does a wildcard certificate (for example, *.aliyundoc.com) include the root domain (aliyundoc.com)?
Yes. A certificate for a wildcard domain also includes the root domain for free. For example, a certificate for *.aliyundoc.com also protects aliyundoc.com.
After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.
SM (SM2) certificates
SM2 is a commercial cryptographic algorithm published by the State Cryptography Administration of China. If your business, particularly for government, finance, or state-owned enterprise projects, requires "SM cryptography transformation" or "classified protection compliance", choose a certificate from a domestic brand that supports the SM2 algorithm. For general websites and overseas services, the standard international RSA or ECC algorithms are sufficient.